Security experts last week submitted a proposal to the Internet Engineering Task Force (IETF) on standard procedures for the reporting and fixing of security vulnerabilities.

The Responsible Disclosure Process internet draft is being fronted by two well known industry names: Steve Christey, lead infosec engineer at defence company Mitre; and Chris Wysopal, director of research and development for @stake.

The proposal is pushing for vendors to acknowledge bug reports within seven days and provide updates and status reports until an issue is resolved.

The draft also suggests that vendors include clearly defined sections on their websites for bug information, and proposes a standard naming scheme for bug report mailboxes.

Security watchers have long argued that the current method of security bug reporting is disparate and chaotic at best, and often results in vulnerability details being released before patches.

A security group fronted by Microsoft submitted a draft proposal to the IETF at the end of last year which covered the entire bug reporting and vulnerability disclosure process, but is geared towards the discouragement of full disclosure.

The Christey and Wysopal proposals suggest the creation of security co-ordinators to work with bug reporters and vendors as central points of contact to ensure proper communication and testing of reported bugs.

The pair wrote: "The disclosure of vulnerability information has been a divisive topic for years.

"During the process of disclosure many vendors, security researchers and other parties follow a variety of unwritten or informal guidelines for how they interact and share information.

"Some parties may be unaware of these guidelines, or they may intentionally ignore them. This state of affairs can make it difficult to achieve a satisfactory outcome for everyone who uses, or is affected by, vulnerability information.

"Currently, vulnerability release is inconsistent and largely driven from the perspective of the party which has the greatest ability to control the process.

"In an effort to create a common framework by which objectives are met to the benefit of all parties, this document communicates a formal, repeatable process for addressing vulnerability disclosure in a responsible manner."

The full draft of the document can be found here.